Blockchain-based transaction method and apparatus, and remitter device

ABSTRACT

Implementations of the present specification provide a blockchain-based transaction method and apparatus, and a remitter device. The method includes: calculating a transaction amount commitment, a first commitment random number ciphertext, a first transaction amount ciphertext, a second commitment random number ciphertext, and a second transaction amount ciphertext; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into a remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into a remittee account.

TECHNICAL FIELD

Implementations of the present specification relate to the field of computer technologies, and particularly, to a blockchain-based transaction method and apparatus, and a remitter device.

BACKGROUND

The blockchain technology is a distributed database technology that protects data from being tampered with and forged by using cryptography and consensus mechanisms. With the development of computer and Internet technologies, thanks to advantages such as decentralization, openness and transparency, tamper-resistance, and trustiness, the blockchain technology is highly favored and is widely applied to many fields such as smart contracts, securities transactions, E-commerce, the Internet of Things, social communication, file storage, proof of existence, identity verification, and equity crowdfunding.

Currently, when the blockchain technology is applied to transaction scenarios, because transaction information needs to be sent to the blockchain for verification, implementation, and chaining-on, the transaction information is at risk of being leaked to a third party unrelated to the transaction.

There is a need of a technical solution for realizing privacy protection in a transaction process.

SUMMARY

The implementations of the present specification is to provide a blockchain-based transaction method and apparatus, and a remitter device, to achieve, among others, privacy protection without interaction with a remittee device.

An implementation of the present specification provides a blockchain-based transaction method, including: calculating a transaction amount commitment based on a commitment random number and a transaction amount; obtaining a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remitter account using a homomorphic encryption algorithm; obtaining a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remittee account using the homomorphic encryption algorithm; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

An implementation of the present specification provides a blockchain-based transaction apparatus, including: a calculation unit, configured to calculate a transaction amount commitment based on a commitment random number and a transaction amount; a first encryption unit, configured to obtain a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remitter account using a homomorphic encryption algorithm; a second encryption unit, configured to obtain a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remittee account using the homomorphic encryption algorithm; and a submission unit, configured to submit transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

An implementation of the present specification further provides a remitter device, including: a memory, configured to store computer instructions; and a processor, configured to execute the computer instructions to implement the method described in any of the implementations of the present specification.

It can be understood from the technical solutions provided in the implementations of the present specification, the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext can be obtained by using the commitment mechanism and the homomorphic encryption mechanism. The transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext can be submitted to the blockchain, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account. On the one hand, privacy protection can be realized by using a commitment mechanism and a homomorphic encryption mechanism. On the other hand, the transaction can be smoothly completed without the remittee device by submitting the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext to the blockchain.

BRIEF DESCRIPTION OF DRAWINGS

To describe the technical solutions in the implementations of the present specification or in the existing technologies more clearly, the following is a brief description of the accompanying drawings for illustrating such technical solutions. Clearly, the accompanying drawings described below are merely some implementations of the present specification, and a person skilled in the art can derive other drawings from such accompanying drawings without making innovative efforts.

FIG. 1 is a schematic diagram illustrating blockchain-based transaction implementation according to an implementation of the present specification;

FIG. 2 is a flowchart illustrating a blockchain-based transaction method according to an implementation of the present specification;

FIG. 3 is a flowchart illustrating blockchain-based transaction implementation according to an implementation of the present specification;

FIG. 4 is a function structural diagram illustrating a blockchain-based transaction apparatus according to an implementation of the present specification; and

FIG. 5 is a function structural diagram illustrating a remitter device according to an implementation of the present specification

FIG. 6 is a diagram illustrating example environments that can be used to execute embodiments of this specification; and

FIG. 7 is a diagram illustrating an example architecture in accordance with embodiments of this specification.

DESCRIPTION OF IMPLEMENTATIONS

The description herein clearly and comprehensively describes the technical solutions in the implementations of the present specification with reference to the accompanying drawings in the implementations of the present specification. Clearly, the described implementations are merely some example implementations rather than all of the implementations of the present specification. All other implementations obtained by a person of ordinary skill in the art based on the implementations of the present specification without creative efforts shall fall within the protection scope of the present specification.

Referring to FIG. 1 and FIG. 2, an implementation of the present specification provides a blockchain-based transaction method.

In this implementation, the blockchain can be a distributed ledger that organizes multiple pieces of block data in a chain structure based on a time sequence, and ensures security, traceability, and tamper-resistance by using a cryptography algorithm. The blockchain can include a public blockchain, a consortium blockchain, a private blockchain, etc. The blockchain can be implemented based on a blockchain network. The blockchain network can include a peer-to-peer network (P2P network), etc. The blockchain network can include a plurality of blockchain nodes. Unified blockchain ledgers are maintained among blockchain nodes together, with copies of the blockchain ledger stored, respectively, on each of at least some of the plurality of nodes of the blockchain network.

In the implementations, the transaction method can be executed by a remitter device. The remitter device can join the blockchain network as a blockchain node. A remitter account can be logged into on the remitter device. The remitter account can be an account of a remitter in the blockchain. The remitter account can have a signature public-private key pair, and an encryption public-private key pair. The signature public-private key pair can include a signature public key and a signature private key that are associated. The signature private key can be used to sign transaction data to be submitted to the blockchain. The signature public key can be disclosed to other blockchain nodes in the blockchain network for the other blockchain nodes to verify the signed transaction data. The encryption public-private key pair can include a homomorphic encryption public key and a homomorphic encryption private key that are associated. The homomorphic encryption public key can be disclosed to other blockchain nodes in the blockchain network, so the other blockchain nodes can encrypt data, e.g., a remitter balance, a transaction amount, a remitter random number, and a commitment random number, by using a homomorphic encryption algorithm. The homomorphic encryption private key can be used to decrypt an encrypted ciphertext. The remitter account can also register a remitter balance commitment, a remitter random number ciphertext, and a remitter balance ciphertext in the blockchain.

The remitter balance commitment can be calculated by the remitter device based on the remitter random number and the remitter balance. The remitter random number can be a random number corresponding to the remitter account and used for constructing the remitter balance commitment. The remitter balance can be a balance of any type of resource. The resource can include, for example, securities, coupons, property, virtual currency, and funds. Specifically, the remitter balance commitment can be implemented based on any type of commitment scheme with homomorphism, such as a Pedersen commitment mechanism. Taking the Pedersen commitment mechanism as an example, the remitter balance commitment can be calculated based on equation PC(r_A,s_A)=g^(r_A)h^(s_A), where, PC(r_A,s_A) is the remitter balance commitment; r_A is the remitter random number; s_A is the remitter balance; g and h are pre-determined parameters, respectively. Certainly, the remitter balance commitment can also be implemented by using a homomorphic encryption algorithm. That is, a ciphertext obtained by encrypting the remitter balance based on the homomorphic encryption algorithm is used as the remitter balance commitment. The homomorphic encryption algorithm will be described in detail subsequently. As such, on the one hand, direct registration of the remitter balance can be avoided by registering the remitter balance commitment in the blockchain, so the remitter balance can be hidden and kept secret. On the other hand, because the commitment mechanism can support a high-efficiency zero-knowledge proof, the remitter balance commitment can make a zero-knowledge proof, e.g., a third zero-knowledge proof in the subsequent process, process involving the remitter balance in the subsequent process more efficient.

The remitter random number ciphertext can be obtained by the remitter device by encrypting the remitter random number based on the homomorphic encryption algorithm. The homomorphic encryption algorithm can include, for example, the Paillier algorithm, the Okamoto-Uchiyama algorithm, and the Damgard-Jurik algorithm. In particular, the Paillier algorithm and the Damgard-Jurik algorithm are more efficient and the encrypted ciphertext is shorter than the Okamoto-Uchiyama algorithm. Taking the Paillier algorithm as an example, the remitter random number ciphertext can be calculated based on equation PA_A(r_A)=u1^(r_A)d1^(n1), where PA_A(r_A) is the remitter random number ciphertext; r_A is the remitter random number; each of u1 and n1 is a portion of a homomorphic encryption public key of the remitter account; d1 is a random number used in the homomorphic encryption algorithm. On the one hand, the burden caused by locally keeping the remitter random number off the chain can be avoided by registering the remitter random number in the blockchain. On the other hand, direct registration of the remitter random number can be avoided by registering the remitter random number ciphertext in the blockchain, so the remitter random number can be hidden and kept secret.

The remitter balance ciphertext can be obtained by the remitter device by encrypting the remitter balance based on the homomorphic encryption algorithm. Taking the Paillier algorithm as an example, the remitter balance ciphertext can be calculated based on equation PA_A(s_A)=u1^(s_A)d2^(n1), where PA_A(s_A) is the remitter balance ciphertext; s_A is the remitter balance; each of u1 and n1 is a portion of the homomorphic encryption public key of the remitter account; d2 is a random number used in the homomorphic encryption algorithm. As such, direct registration of the remitter balance can be avoided by registering the remitter balance ciphertext in the blockchain, so the remitter balance can be hidden and kept secret.

In the implementations, the transaction method can transfer the transaction amount from the remitter account to a remittee account. The remittee account can be an account of a remittee in the blockchain. The remittee account can be logged into on a remittee device. The remittee device can join the blockchain network as a blockchain node. The transaction amount can be negotiated between the remitter and the remittee. Similar to the remitter account, the remittee account can have a signature public-private key pair, and an encryption public-private key pair. The remittee account can also register a remittee balance commitment, a remittee random number ciphertext, and a remittee balance ciphertext in the blockchain. The remittee balance commitment can be calculated by the remittee device based on the remittee random number and the remittee balance. The remittee random number ciphertext can be obtained by the remittee device by encrypting the remittee random number based on the homomorphic encryption algorithm. The remittee balance ciphertext can be obtained by the remittee device by encrypting the remittee balance based on the homomorphic encryption algorithm.

The transaction method can include the following steps. It should be noted that although the present specification provides the method operation steps in the implementations or the flowcharts, more or fewer operation steps can be included based on conventional or non-creative efforts. In addition, a sequence of the steps listed in the implementation is merely one of numerous execution sequences of the steps, and does not represent a unique execution sequence. In actual execution of an apparatus or a product, execution can be performed based on the method sequence shown in the implementation or the accompanying drawing, or performed in parallel, e.g., a parallel processor or a multi-thread processing environment.

Step S10: Calculate a transaction amount commitment based on a commitment random number and a transaction amount.

In the implementations, the commitment random number can be generated by the remitter device. The transaction amount can be negotiated between the remitter and the remittee. The transaction amount commitment can be implemented based on any type of commitment scheme with homomorphism, such as a Pedersen commitment mechanism. Taking the Pedersen commitment mechanism as an example, the transaction amount commitment can be calculated based on equation PC(r,t)=g^(r)h^(t), where, PC(r,t) is the transaction amount commitment; r is the commitment random number; t is the transaction amount; g and h are pre-determined parameters, respectively. Certainly, the transaction amount commitment can also be implemented by using the homomorphic encryption algorithm. That is, a ciphertext obtained by encrypting the transaction amount based on the homomorphic encryption algorithm is used as the transaction amount commitment. As such, the transaction amount can be hidden and kept secret by using the transaction amount commitment.

Step S12: Obtain a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remitter account using a homomorphic encryption algorithm.

In the implementations, the remitter device can obtain the first commitment random number ciphertext by encrypting the commitment random number based on the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm. Specifically, the remitter device can generate a random number for homomorphic encryption as a first encryption random number; and obtain the first commitment random number ciphertext by encrypting the commitment random number based on the homomorphic encryption public key of the remitter account and the first encryption random number using the homomorphic encryption algorithm. Taking the Paillier algorithm as an example, the first commitment random number ciphertext can be calculated based on equation PA_A(r)=u1^(r)y1^(n1), where PA_A(r) is the first commitment random number ciphertext; r is the commitment random number; each of u1 and n1 is a portion of the homomorphic cryptographic public key of the remitter account, respectively; y1 is the first encryption random number.

In the implementations, the remitter device can obtain the first transaction amount ciphertext by encrypting the transaction amount based on the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm. Specifically, the remitter device can generate a random number for homomorphic encryption as a second encryption random number; and obtain the first transaction amount ciphertext by encrypting the transaction amount based on the homomorphic encryption public key of the remitter account and the second encryption random number using the homomorphic encryption algorithm. Taking the Paillier algorithm as an example, the first transaction amount ciphertext can be calculated based on equation PA_A(t)=u1^(t)y2^(n1), where PA_A(t) is the first transaction amount ciphertext; t is the transaction amount; each of u1 and n1 is a portion of the homomorphic cryptographic public key of the remitter account, respectively; y2 is the second encryption random number.

Step S14: Obtain a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remittee account using the homomorphic encryption algorithm.

In the implementations, the remitter device can obtain the second commitment random number ciphertext by encrypting the commitment random number based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm. Specifically, the remitter device can generate a random number for homomorphic encryption as a third encryption random number; and obtain the second commitment random number ciphertext by encrypting the commitment random number based on the homomorphic encryption public key of the remittee account and the third encryption random number using the homomorphic encryption algorithm. Taking the Paillier algorithm as an example, the second commitment random number ciphertext can be calculated based on equation PA_B(r)=u2^(r)z1^(n2), where PA_B(r) is the second commitment random number ciphertext; r is the commitment random number; each of u2 and n2 is a portion of the homomorphic cryptographic public key of the remittee account, respectively; z1 is the third encryption random number.

In the implementations, the remitter device can obtain the second transaction amount ciphertext by encrypting the transaction amount based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm. Specifically, the remitter device can generate a random number for homomorphic encryption as a fourth encryption random number; and obtain the second transaction amount ciphertext by encrypting the transaction amount based on the homomorphic encryption public key of the remittee account and the fourth encryption random number using the homomorphic encryption algorithm. Taking the Paillier algorithm as an example, the second transaction amount ciphertext can be calculated based on equation PA_B(t)=u2^(t)z2^(n2), where PA_B(t) is the second transaction amount ciphertext; t is the transaction amount; each of u2 and n2 is a portion of the homomorphic cryptographic public key of the remittee account, respectively; z2 is the fourth encryption random number.

Step S16: Submit transaction data to the blockchain.

In the implementations, the transaction data can include the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext. The remitter device can submit the transaction data to the blockchain, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

Specifically, after the transaction data is submitted to the blockchain, a consensus blockchain node in the blockchain can update the remitter balance commitment based on the transaction amount commitment; update the remitter random number ciphertext based on the first commitment random number ciphertext; update the remitter balance ciphertext based on the first transaction amount ciphertext; update the remittee balance commitment based on the transaction amount commitment; update the remittee random number ciphertext based on the second commitment random number ciphertext; and update the remittee balance ciphertext based on the second transaction amount ciphertext. The consensus blockchain node can be a blockchain node determined based on a consensus mechanism of the blockchain. As such, the transaction data can be recorded into a blockchain ledger maintained by each blockchain node in the blockchain network, so as to avoid tampering.

An updated remitter balance commitment can be a quotient of the remitter balance commitment and the transaction amount commitment. Because the remitter balance commitment and the transaction amount commitment are implemented by using a homomorphic commitment mechanism, the transaction amount can be deducted from the remitter balance and the commitment random number can be deducted from the remitter random number. For example, the remitter balance commitment can be PC(r_A,s_A)=g^(r_A)h^(s_A); the transaction amount commitment can be PC(r,t)=g^(r)h^(t); the updated remitter balance commitment can be PC(r_A−r,s_A−t)=PC(r_A,s_A)/PC(r,t)=g^((r_A−r))h^((s_A−t)).

An updated remitter random number ciphertext can be a quotient of the remitter random number ciphertext and the first commitment random number ciphertext. Because the remitter random number ciphertext and the first commitment random number ciphertext are calculated by using the homomorphic encryption algorithm, the commitment random number can be deducted from the remitter random number. For example, the remitter random number ciphertext can be PA_A(r_A)=u1^(r_A)d1^(n1); the first commitment random number ciphertext can be PA_A(r)=u1^(r)y1^(n1); the updated remitter random number ciphertext can be PA_A(r_A−r)=PA_A(r_A)/PA_A(r)=u1^(r_A−r)(d1/y1)^(n1).

An updated remitter balance ciphertext can be a quotient of the remitter balance ciphertext and the first transaction amount ciphertext. Because the remitter balance ciphertext and the first transaction amount ciphertext are calculated by using the homomorphic encryption algorithm, the transaction amount can be deducted from the remitter balance. For example, the remitter balance ciphertext can be PA_A(s_A)=u1^(s_A)d2^(n1); the first transaction amount ciphertext can be PA_A(t)=u1^(t)y2^(n1); the updated remitter balance ciphertext can be PA_A(s_A−t)=PA_A(s_A)/PA_A(t)=u1^(s_A−t)(d2/y2)^(n1).

An updated remittee balance commitment can be a product of the remittee balance commitment and the transaction amount commitment. Because the remittee balance commitment and the transaction amount commitment are implemented by using the homomorphic commitment mechanism, the transaction amount can be added to the remittee balance and the commitment random number can be added to the remittee random number. For example, the remittee balance commitment can be PC(r_B,s_B)=g^(r_B)h^(s_B); the transaction amount commitment can be PC(r,t)=g^(r)h^(t); the updated remittee balance commitment can be PC(r_B+r,s_B+t)=PC(r_B,s_B)PC(r,t)=g^((r_B+r))h^((s_B+t)). r_B is the remittee random number; s_B is the remittee balance; g and h are pre-determined parameters, respectively.

An updated remittee random number ciphertext can be a product of the remittee random number ciphertext and the second commitment random number ciphertext. Because the remittee random number ciphertext and the second commitment random number ciphertext are calculated by using the homomorphic encryption algorithm, the commitment random number can be added to the remittee random number. For example, the remittee random number ciphertext can be PA_B(r_B)=u2^(r_B)f1^(n2); the second commitment random number ciphertext can be PA_B(r)=u2^(r)z1^(n2); the updated remittee random number ciphertext can be PA_B(r_B+r)=PA_B(r_B)PA_B(r)=u2^(r_B+r)(f1z1)^(n2). r_B is the remittee random number; f1 is a random number used by the homomorphic encryption algorithm.

An updated remittee balance ciphertext can be a product of the remittee balance ciphertext and the second transaction amount ciphertext. Because the remittee balance ciphertext and the second transaction amount ciphertext are calculated by using the homomorphic encryption algorithm, the transaction amount can be added to the remittee balance. For example, the remittee balance ciphertext can be PA_B(s_B)=u2^(s_B)f2^(n2); the second transaction amount ciphertext can be PA_B(t)=u2^(t)z2^(n2); the updated remittee balance ciphertext can be PA_B(s_B+t)=PA_B(s_B)PA_B(t)=u2^(s_B+t)(f2z2)^(n2). s_B is the remittee balance; f2 is a random number used by the homomorphic encryption algorithm.

In an implementation, the remitter device can further generate a first zero-knowledge proof based on a zero-knowledge proof technique; and add the first zero-knowledge proof to the transaction data for the consensus blockchain node to verify that the transaction amount is not less than 0. The zero-knowledge proof technique can be implemented, for example, based on the zero-knowledge succinct non-interactive argument of knowledge “zkSNARK” scheme. Further, the zero-knowledge proof technique can include a range proof technique. The remitter device can generate a first range proof based on the range proof technique; and add the first range proof to the transaction data for the consensus blockchain node to verify that the transaction amount is not less than 0. The range proof technique can be implemented, for example, based on the Bulletproofs scheme or the Borromean ring signature scheme.

In an implementation, the remitter device can further generate a second zero-knowledge proof based on the zero-knowledge proof technique; and add the second zero-knowledge proof to the transaction data for the consensus blockchain node to verify that the transaction amount is not greater than the remitter balance. Further, the zero-knowledge proof technique can include the range proof technique. The remitter device can generate a second range proof based on the range proof technique; and add the second range proof to the transaction data for the consensus blockchain node to verify that the transaction amount is not greater than the remitter balance.

In an implementation, the remitter device can further generate a third zero-knowledge proof based on the zero-knowledge proof technique; and add the third zero-knowledge proof to the transaction data for the consensus blockchain node to verify that: the commitment random number for calculating the transaction amount commitment is consistent with the commitment random number for calculating the second commitment random number ciphertext, and verify that: the transaction amount for calculating the transaction amount commitment is consistent with the transaction amount for calculating the second transaction amount ciphertext, so as to avoid recording inconsistent commitment random numbers and inconsistent transaction amounts into the remitter account and the remittee account.

For example, the third zero-knowledge proof can be (C, D, E, a, b, c, d). C=g^(r)*h^(t)*; D=u2^(r)*z1*^(n2); E=u2^(t)*z2*^(n2); x=Hash(C,D,E); a=r*+xr; b=t*+xt; c=z1*z1^(x); d=z2*z2^(x). r*, t*, z1*, and z2* are random numbers generated by the remitter device and respectively correspond to the commitment random number r, the transaction amount t, the third encryption random number z1, and the fourth encryption random number z2; Hash represents a hash operation.

When verifying that all g^(a)h^(b)==CT^(x), u2^(a)c^(n2)==DM^(x), and u2^(b)d^(n2)==EN^(x) are valid, the consensus blockchain node considers that: the commitment random number for calculating the transaction amount commitment is consistent with the commitment random number for calculating the second commitment random number ciphertext, and that: the transaction amount for calculating the transaction amount commitment is consistent with the transaction amount for calculating the second transaction amount ciphertext. T is the transaction amount commitment PC(r,t); M is the second commitment random number ciphertext PA_B(r); N is the second transaction amount ciphertext PA_B(t).

In an implementation, the remitter device can calculate the first transaction amount commitment based on the first commitment random number and the transaction amount; and calculate the second transaction amount commitment based on the second commitment random number and the transaction amount. The first commitment random number and the second commitment random number can be generated by the remitter device. The first transaction amount commitment can correspond to a transaction amount to be transferred out of the remitter account. The second transaction amount commitment can correspond to a transaction amount to be transferred to the remittee account. As such, the transaction amount to be transferred out of the remitter account and the transaction amount to be transferred to the remittee account can be distinguished.

The remitter device can separately obtain the first commitment random number ciphertext and the first transaction amount ciphertext by encrypting the first commitment random number and the transaction amount based on the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm; separately obtain the second commitment random number ciphertext and the second transaction amount ciphertext by encrypting the second commitment random number and the transaction amount based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and submit the transaction data to the blockchain. The transaction data can include the first transaction amount commitment, the second transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the first transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the second transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

Specifically, after the transaction data is submitted to the blockchain, the consensus blockchain node can update the remitter balance commitment based on the first transaction amount commitment; update the remitter random number ciphertext based on the first commitment random number ciphertext; update the remitter balance ciphertext based on the first transaction amount ciphertext; update the remittee balance commitment based on the second transaction amount commitment; update the remittee random number ciphertext based on the second commitment random number ciphertext; and update the remittee balance ciphertext based on the second transaction amount ciphertext.

An updated remitter balance commitment can be a quotient of the remitter balance commitment and the first transaction amount commitment; an updated remitter random number ciphertext can be a quotient of the remitter random number ciphertext and the first commitment random number ciphertext; an updated remitter balance ciphertext can be a quotient of the remitter balance ciphertext and the first transaction amount ciphertext; an updated remittee balance commitment can be a product of the remittee balance commitment and the second transaction amount commitment; an updated remittee random number ciphertext can be a product of the remittee random number ciphertext and the second commitment random number ciphertext; an updated remittee balance ciphertext can be a product of the remittee balance ciphertext and the second transaction amount ciphertext.

Further, the remitter device can further generate a fourth zero-knowledge proof based on the zero-knowledge proof technique; and add the fourth zero-knowledge proof to the transaction data for the consensus blockchain node to verify that the transaction amount for calculating the first transaction amount commitment is consistent with the transaction amount for calculating the second transaction amount commitment, so as to prevent the transaction amount transferred out of the remitter account from being inconsistent with the transaction amount transferred to the remittee account.

In an implementation, the remitter device can further obtain signature data by signing the transaction data using a signature private key of the remitter account; and add the signature data to the transaction data for the consensus blockchain node to perform signature verification.

In the implementations, the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext can be obtained by using the commitment mechanism and the homomorphic encryption mechanism. The transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext can be submitted to the blockchain, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account. On the one hand, privacy protection can be realized for transaction information such as the transaction amount by using the commitment mechanism and the homomorphic encryption mechanism. On the other hand, the transaction can be smoothly completed in the blockchain without the remittee device by submitting the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext to the blockchain. Therefore, the implementation can realize privacy protection under a non-interactive condition.

Further, the remitter account can register the remitter balance commitment, the remitter random number ciphertext, and the remitter balance ciphertext in the blockchain. The remittee account can register the remittee balance commitment, the remittee random number ciphertext, and the remittee balance ciphertext in the blockchain. On the one hand, privacy protection can be realized for both the account balance and the transaction amount. On the other hand, by registering the remitter random number ciphertext and the remittee random number ciphertext on the blockchain, the burden caused by locally keeping the remitter random number and the remittee random number off the chain can be avoided, and the risk of loss can be avoided.

Refer to FIG. 1, FIG. 2 and FIG. 3. For ease of understanding, an example scenario of an implementation of the present specification is described below.

In this implementation, assume that the remitter account can be Account_A. The remitter account Account_A can have a signature public-private key pair and an encryption public-private key pair. The remitter account Account_A can also register a remitter balance commitment PC(r_A,s_A)=g^(r_A)h^(s_A), a remitter random number ciphertext PA_A(r_A)=u1^(r_A)d1^(n1), and a remitter balance ciphertext PA_A(s_A)=u1^(s_A)d2^(n1) in the blockchain. r_A is the remitter random number; s_A is the remitter balance; g and h are pre-determined parameters; each of u1 and n1 is a portion of the homomorphic encryption public key of the remitter account; d1 and d2 are random numbers used in the homomorphic encryption algorithm.

Assume that the remittee account can be Account_B. The remittee account Account_B can have a signature public-private key pair and an encryption public-private key pair. The remittee account Account_B can also register a remittee balance commitment PC(r_B, s_B)=g^(r_B)h^(s_B), a remittee random number ciphertext PA_B(r_B)=u2^(r_B)f1^(n2), and a remittee balance ciphertext PA_B(s_B)=u2^(s_B)f2^(n2) in the blockchain. r_B is the remittee random number; s_B is the remittee balance; g and h are pre-determined parameters; each of u2 and n2 is a portion of the homomorphic encryption public key of the remittee account; f1 and f2 are random numbers used in the homomorphic encryption algorithm.

In the implementations, the example transaction of the scenario can implement the transfer of transaction amount t from the remitter account Account_A to the remittee account Account_B. Specifically, for example, the remitter device can generate a commitment random number r, a first encryption random number y1, a second encryption random number y2, a third encryption random number z1, and a fourth encryption random number z2. The remitter device can calculate the transaction amount commitment PC(r,t)=g^(r)h^(t) based on the commitment random number r and transaction amount t; obtain the first commitment random number ciphertext PA_A(r)=u1^(r)y1^(n1) by encrypting the commitment random number r based on the first encryption random number y1 and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm; obtain the first transaction amount ciphertext PA_A(t)=u1^(t)y2^(n1) by encrypting transaction amount t based on the second encryption random number y2 and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm; obtain the second commitment random number ciphertext PA_B(r)=u2^(r)z1^(n2) by encrypting the commitment random number r based on the third encryption random number z1 and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; obtain the second transaction amount ciphertext PA_B(t)=u2^(t)z2^(n2) by encrypting transaction amount t based on the fourth encryption random number z2 and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm.

In this implementation, the remitter device can generate a first zero-knowledge proofRP1, a second zero-knowledge proofRP2, and a third zero-knowledge proof RP3. The first zero-knowledge proof RP1 can be used to verify: t≥0. The second zero-knowledge proof RP2 can be used to verify: s_A−t≥0. The third zero-knowledge proof RP3 can be used to verify that the commitment random number r in PC(r,t) is consistent with the commitment random number r in PA_B(r), and verify that transaction amount t in PC(r,t) is consistent with transaction amount t in PA_B(t).

In this implementation, the remitter device can obtain signature data SIG by signing [PC(r,t), PA_A(r), PA_A(t), PA_B(r), PA_B(t), RP1, RP2, RP3] using a signature private key of the remitter account; and submit transaction data [PC(r,t), PA_A(r), PA_A(t), PA_B(r), PA_B(t), RP1, RP2, RP3, SIG] to the blockchain.

In this implementation, the blockchain network can determine a consensus blockchain node based on the consensus mechanism. By using the anti-double-spending or anti-replay mechanism of the related technologies, the consensus blockchain node can verify whether the transaction has been executed. If the transaction has been executed, the consensus blockchain node can reject the transaction.

If the transaction has not been executed, the consensus blockchain node can verify whether the signature data SIG in the transaction data is correct. If the signature data SIG is incorrect, the consensus blockchain node can reject the transaction.

If the signature data SIG is correct, the consensus blockchain node can check the first zero-knowledge proof RP1 in the transaction data to verify whether t≥0 is satisfied. If not satisfied, the consensus blockchain node can reject the transaction.

If satisfied, the consensus blockchain node can check the second zero-knowledge proofRP2 in the transaction data to verify whether s_A−t≥0 is satisfied. If not satisfied, the consensus blockchain node can reject the transaction.

If satisfied, the consensus blockchain node can check the third zero-knowledge proof RP3 in the transaction data to verify whether the commitment random number r in PC(r,t) is consistent with the commitment random number r in PA_B(r), and verify whether transaction amount t in PC(r,t) is consistent with transaction amount t in PA_B(t). If not satisfied, the consensus blockchain node can reject the transaction.

If satisfied, the consensus blockchain node can update the remitter balance commitment PC(r_A,s_A), the remitter random number ciphertext PA_A(r_A), the remitter balance ciphertext PA_A(s_A), the remittee balance commitment PC(r_B,s_B), the remittee random number ciphertext PA_B(r_B), and the remittee balance ciphertext PA_B(s_B). Specifically, an updated remitter balance commitment can be PC(r_A−r,s_A−t)=PC(r_A,s_A)/PC(r,t)=g^((r_A−r))h^((s_A−t)); an updated remitter random number ciphertext can be PA_A(r_A−r)=PA_A(r_A)/PA_A(r)=u1^(r_A−r)(d1/y1)^(n1); an updated remitter balance ciphertext can be PA_A(s_A−t)=PA_A(s_A)/PA_A(t)=u1^(s_A−t)(d2/y2)^(n1); an updated remittee balance commitment can be PC(r_B+r,s_B+t)=PC(r_B,s_B)PC(r,t)=g^((r_B+r))h^((s_B+t)); an updated remittee random number ciphertext can be PA_B(r_B+r)=PA_B(r_B)PA_B(r)=u2^(r_B+r)(f1z1)^(n2); an updated remittee balance ciphertext can be PA_B(s_B+t)=PA_B(s_B)PA_B(t)=u2^(s_B+t)(f2z2)^(n2).

Referring to FIG. 4, an implementation of the present specification further provides a blockchain-based transaction apparatus. The transaction apparatus can include the following units: a calculation unit 20, configured to calculate a transaction amount commitment based on a commitment random number and a transaction amount; a first encryption unit 22, configured to obtain a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remitter account using a homomorphic encryption algorithm; a second encryption unit 24, configured to obtain a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remittee account using the homomorphic encryption algorithm; and a submission unit 26, configured to submit transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

Referring to FIG. 5, an implementation of the present specification further provides a remitter device. The remitter device can include a memory and a processor.

In this implementation, the memory can be implemented in any suitable way. For example, the memory can be a read-only memory, a mechanical hard disk, a solid-state drive, a USB flash drive, etc. The memory can be configured to store computer instructions.

In this implementation, the processor can be implemented in any suitable way. For example, the processor can be a microprocessor, a processor, or a computer readable medium storing computer readable program code (such as software or firmware) that can be executed by the microprocessor or the processor, a logic gate, a switch, an application-specific integrated circuit (ASIC), a programmable logic controller, or a built-in microcontroller. The processor can execute the computer instructions to perform the steps of: calculating a transaction amount commitment based on a commitment random number and a transaction amount; obtaining a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remitter account using a homomorphic encryption algorithm; obtaining a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of a remittee account using the homomorphic encryption algorithm; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.

The implementations in the present specification are described in a progressive method. For the same or similar parts in the implementations, references can be made to each other. Each implementation focuses on a difference from other implementations. Especially, an apparatus implementation and a device implementation are basically similar to a method implementation, and therefore are described briefly. For related parts, refer to descriptions in the method implementation.

After reading the present specification, a person skilled in the art can think of any combination between some or all of the implementations enumerated in the present specification without creative efforts. These combinations are also within the scope disclosed and protected by the present specification.

In the 1990s, whether technology improvement is hardware improvement (for example, improvement of a circuit structure, such as a diode, a transistor, or a switch) or software improvement (improvement of a method procedure) can be clearly distinguished. However, as technologies develop, the current improvement for many method procedures can be considered as a direct improvement of a hardware circuit structure. A designer usually programs an improved method procedure to a hardware circuit, to obtain a corresponding hardware circuit structure. Therefore, a method procedure can be improved by using a hardware entity module. For example, a programmable logic device (PLD) (for example, a field programmable gate array (FPGA)) is such an integrated circuit, and a logical function of the programmable logic device is determined by a user through device programming. A designer performs programming to “integrate” a digital system to a single PLD, without requiring a chip manufacturer to design and manufacture a dedicated integrated circuit chip 2. In addition, at present, instead of manually manufacturing an integrated chip, this type of programming is mostly implemented by using “logic compiler” software. The programming is similar to a software compiler used to develop and write a program. Original code needs to be written in a particular programming language for compilation. The language is referred to as a hardware description language (HDL). There are many HDLs, such as the Advanced Boolean Expression Language (ABEL), the Altera Hardware Description Language (AHDL), Confluence, the Cornell University Programming Language (CUPL), HDCal, the Java Hardware Description Language (JHDL), Lava, Lola, MyHDL, PALASM, and the Ruby Hardware Description Language (RHDL). The very-high-speed integrated circuit hardware description language (VHDL) and Verilog2 are most commonly used. A person skilled in the art should also understand that a hardware circuit that implements a logical method procedure can be readily obtained once the method procedure is logically programmed by using the several described hardware description languages and is programmed into an integrated circuit.

The system, apparatus, module, or unit illustrated in the implementations can be implemented by using a computer chip or an entity, or can be implemented by using a product having a certain function. A typical implementation device is a computer. A specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, an intelligent phone, a personal digital assistant, a media player, a navigation device, an email transceiver device, a game console, a tablet computer, a wearable device, or any combination thereof.

It can be understood from the descriptions of the implementations that a person skilled in the art can clearly understand that the present specification can be implemented by using software and a necessary general hardware platform. Based on such an understanding, the technical solutions in the present specification essentially or the part contributing to the existing technology can be implemented in a form of a software product. The computer software product can be stored in a storage medium, such as a ROM/RAM, a magnetic disk, or an optical disc, and includes several instructions for instructing a computer device (which can be a personal computer, a server, a network device, etc.) to execute the method described in the implementations of the present specification or in some parts of the implementations of the present specification.

To provide further context for embodiments of this specification, and as introduced herein, distributed ledger systems (DLSs) (which can also be referred to as consensus networks, made up of peer-to-peer nodes), and blockchain networks, enable participating entities to securely, and immutably, conduct transactions and store data. Although the term blockchain is generally associated with particular networks, and/or use cases, blockchain is used herein to generally refer to a DLS without reference to any particular use case.

A blockchain is a data structure that stores transactions in a way that the transactions are immutable. Thus, the recording of transactions on a blockchain is reliable and trustworthy. A blockchain includes one or more blocks. Each block in the chain is linked to a previous block immediately before it in the chain by including a cryptographic hash of the previous block. Each block also includes a timestamp, its own cryptographic hash, and one or more transactions. Within a block, the transactions, which have already been verified by the nodes of the blockchain network, are hashed and encoded into a Merkle tree. The Merkle tree is a data structure in which each leaf node includes a hash on a corresponding transaction, and each non-leaf node includes a hash on the concatenation of the hashes in its children. With this process continuing up the tree to the root of the entire tree, the root node includes a hash that is representative of all data in the tree. A hash purporting to be of a transaction stored in the tree can be quickly verified by determining whether it is consistent with the structure of the tree.

Where a blockchain is a decentralized or at least partially decentralized data structure for storing transactions, a blockchain network is a network of computing nodes that manage, update, and maintain one or more blockchains by broadcasting, verifying and validating transactions, etc. As introduced above, a blockchain network can be provided as a public blockchain network, a private blockchain network, or a consortium blockchain network. Embodiments of this specification are described in further detail herein with reference to a consortium blockchain network. However, embodiments of this specification can be realized in any appropriate type of blockchain network.

In general, a consortium blockchain network is private among the participating entities. In a consortium blockchain network, the consensus process is controlled by an authorized set of nodes, referred to as consensus nodes, one or more of which are operated by a respective entity (a financial institution, insurance company, etc.). For example, a consortium of ten (10) entities (financial institutions, insurance companies, etc.) can operate a consortium blockchain network, each of which operates at least one node in the consortium blockchain network.

In some examples, within a consortium blockchain network, a global blockchain is provided as a blockchain that is replicated across all nodes. That is, all consensus nodes are typically in perfect state consensus with respect to the global blockchain. To achieve consensus (agreement to the addition of a block to a blockchain), a consensus protocol or algorithm is implemented within the consortium blockchain network. For example, the consortium blockchain network can implement a practical Byzantine fault tolerance (PBFT) consensus, described in further detail below.

FIG. 6 is a diagram illustrating an example of an environment 1100 that can be used to execute embodiments of this specification. In some examples, the environment 1100 enables entities to participate in a consortium blockchain network 1102. The environment 1100 includes a plurality of computing devices 1106, 1108, and a network 1110. In some examples, the network 1110 includes a local area network (LAN), wide area network (WAN), the Internet, or a combination thereof, and connects web sites, user devices (computing devices), and back-end systems. In some examples, the network 1110 can be accessed over a wired and/or a wireless communications link. In some examples, the network 1110 enables communication with, and within the consortium blockchain network 1102. In general the network 1110 represents one or more communication networks. In some cases, the network 1110 includes network hardware such as switches, routers, repeaters, electrical cables and optical fibers, light emitters and receivers, radio transmitters and receivers, and the like. In some cases, the computing devices 1106, 1108 can be nodes of a cloud computing system (not shown), or each computing device 1106, 1108 can be a separate cloud computing system including a number of computers interconnected by a network and functioning as a distributed processing system.

In the depicted example, the computing systems 1106, 1108 can each include any appropriate computing system that enables participation as a node in the consortium blockchain network 1102. Examples of computing devices include, without limitation, a server, a desktop computer, a laptop computer, a tablet computing device, and a smartphone. In some examples, the computing systems 1106, 1108 host one or more computer-implemented services for interacting with the consortium blockchain network 1102. For example, the computing system 1106 can host computer-implemented services of a first entity (user A), such as a transaction management system that the first entity uses to manage its transactions with one or more other entities (other users). The computing system 1108 can host computer-implemented services of a second entity (user_B), such as a transaction management system that the second entity uses to manage its transactions with one or more other entities (other users). In the example of FIG. 6, the consortium blockchain network 1102 is represented as a peer-to-peer network of nodes, and the computing systems 1106, 1108 provide nodes of the first entity and second entity, respectively, which participate in the consortium blockchain network 1102.

FIG. 7 depicts an example architecture 1200 in accordance with embodiments of this specification. The example architecture 1200 includes participant systems 1202, 1204, 1206 that correspond to Participant A, Participant B, and Participant C, respectively. Each participant (user, enterprise, etc.) participates in a blockchain network 1212 provided as a peer-to-peer network including a plurality of nodes 1214, at least some of which immutably record information in a blockchain 1216. Although a single blockchain 1216 is schematically depicted within the blockchain network 1212, multiple copies of the blockchain 1216 are provided, and are maintained across the blockchain network 1212, as described in further detail herein.

In the depicted example, each participant system 1202, 1204, 1206 is provided by, or on behalf of, Participant A, Participant B, and Participant C, respectively, and functions as a respective node 1214 within the blockchain network 1212. As used herein, a node generally refers to an individual system (computer, server, etc.) that is connected to the blockchain network 1212, and enables a respective participant to participate in the blockchain network. In the example of FIG. 7, a participant corresponds to each node 1214. It is contemplated, however, that a participant can operate multiple nodes 1214 within the blockchain network 1212, and/or multiple participants can share a node 1214. In some examples, the participant systems 1202, 1204, 1206 communicate with, or through, the blockchain network 1212 using a protocol (hypertext transfer protocol secure (HTTPS)), and/or using remote procedure calls (RPCs).

Nodes 1214 can have varying degrees of participation within the blockchain network 1212. For example, some nodes 1214 can participate in the consensus process (as miner nodes that add blocks to the blockchain 1216), while other nodes 1214 do not participate in the consensus process. As another example, some nodes 1214 store a complete copy of the blockchain 1216, while other nodes 1214 only store copies of portions of the blockchain 1216. For example, data access privileges can limit the blockchain data that a respective participant stores within its respective system. In the example of FIG. 2, the participant systems 1202, 1204 store respective, complete copies 1216′, 1216″, 1216″′ of the blockchain 1216. In the descriptions herein, nodes 1214 of the blockchain network 1212 are also referred to as “participant user” for descriptive purposes. In some embodiments, some or all of the participant users 1214 participate in the consensus process and are referred to as “consensus nodes”. The consensus nodes for the blockchain 1216 may also include other nodes not selected from the participant users 1214. In some other embodiments, consensus nodes for adding blocks to the blockchain 1216 do not overlap with the participant users 1214 that propose blocks to be added to the blockchain 1216.

A blockchain, such as the blockchain 1216 of FIG. 7, is made up of a chain of blocks, each block storing data. Examples of data include transaction data representative of a transaction between two or more participants. While transactions are used herein by way of non-limiting example, any appropriate data can be stored in a blockchain (documents, images, video, audio, etc.). Examples of a transaction can include, without limitation, exchanges of something of value (assets, products, services, currency, etc.) or occurrence of some events or activities. The transaction data is immutably stored within the blockchain. That is, an undetectable change cannot be made to the transaction data.

Before being stored in a block, the transaction data is hashed. Hashing is a process of transforming the transaction data, typically provided as string data, into a fixed-length hash value, typically provided as string data. It is not possible to un-hash the hash value to obtain the transaction data. Hashing ensures that even a slight change in the transaction data results in a completely different hash value. Further, and as noted above, the hash value is of a fixed length. That is, no matter the size of the transaction data the length of the hash value is fixed. Hashing includes processing the transaction data through a hash function to generate the hash value. An example of a hash function includes, without limitation, the secure hash algorithm (SHA)-256, which outputs 256-bit hash values.

Transaction data of multiple transactions are hashed and stored in a block. For example, hash values of two transactions are provided, and are themselves hashed to provide another hash. This process is repeated until, for all transactions to be stored in a block, a single hash value is provided. This hash value is referred to as a Merkle root hash, and is stored in a header of the block. A change in any of the transactions will result in change in its hash value, and ultimately, a change in the Merkle root hash.

Blocks are added to the blockchain through a consensus protocol. Multiple nodes within the blockchain network participate in the consensus protocol, and perform work to have a block added to the blockchain. Such nodes are referred to as consensus nodes. PBFT, introduced above, is used as a non-limiting example of a consensus protocol. The consensus nodes execute the consensus protocol to add transactions to the blockchain, and update the overall state of the blockchain network.

In further detail, for example, the consensus node generates a block header, hashes all of the transactions in the block, and combines the hash value in pairs to generate further hash values until a single hash value is provided for all transactions in the block (the Merkle root hash). This Merkle root hash is added to the block header. The consensus node also determines the hash value of the most recent block in the blockchain (the last block added to the blockchain) and adds the hash value of the most recent block into the block header. The consensus node also adds a nonce value, and a timestamp to the block header. The block header is hashed, which becomes the hash value of the block.

In general, PBFT provides a practical Byzantine state machine replication that tolerates Byzantine faults (malfunctioning nodes, malicious nodes, etc.). This is achieved in PBFT by assuming that faults will occur (assuming the existence of independent node failures, and/or manipulated messages sent by consensus nodes). In PBFT, the consensus nodes are provided in a sequence that includes a primary consensus node and backup consensus nodes. The primary consensus node is periodically changed. Transactions are added to the blockchain by all consensus nodes within the blockchain network reaching an agreement as to the world state of the blockchain network. In this process, messages are transmitted between consensus nodes, and each consensus nodes proves that a message is received from a specified peer node and verifies that the message was not modified during transmission.

In PBFT, the consensus protocol is provided in multiple phases with all consensus nodes beginning in the same state. To begin, a client sends a request to the primary consensus node to invoke a service operation (execute a transaction within the blockchain network). In response to receiving the request, the primary consensus node multicasts the request to the backup consensus nodes. The backup consensus nodes execute the request, and each sends a reply to the client. The client waits until a threshold number of replies are received. In some examples, the client waits for f+1 replies to be received, where f is the maximum number of faulty consensus nodes that can be tolerated within the blockchain network. The final result is that a sufficient number of consensus nodes come to an agreement on the order of the record that is to be added to the blockchain, and the record is either accepted, or rejected.

A consensus algorithm refers to a specific mechanism or terms, based on which a transaction or a block is verified and validated to be added into a blockchain. To that extent, a consensus algorithm is viewed as a specific implementation agreement adapted to follow rules of a consensus protocol. Different consensus algorithms may be created for different blockchain networks 1212 or different blockchains 1216, which all comply with a same consensus protocol.

In some blockchain networks, cryptography is implemented to maintain privacy of transactions. For example, if two nodes want to keep a transaction private, such that other nodes in the blockchain network cannot discern details of the transaction, the nodes can encrypt the transaction data. An example of cryptography includes, without limitation, symmetric encryption and asymmetric encryption. Symmetric encryption refers to an encryption process that uses a single key for both encryption (generating ciphertext from plaintext), and decryption (generating plaintext from ciphertext). In symmetric encryption, the same key is available to multiple nodes, so each node can encrypt/decrypt transaction data.

Asymmetric encryption uses keys pairs that each include a private key, and a public key, the private key being known only to a respective node, and the public key being known to any or all other nodes in the blockchain network. A node can use the public key of another node to encrypt data, and the encrypted data can be decrypted using other node's private key. For example, and referring again to FIG. 7, Participant A can use Participant B's public key to encrypt data, and send the encrypted data to Participant B. Participant B can use its private key to decrypt the encrypted data (ciphertext) and extract the original data (plaintext). Messages encrypted with a node's public key can only be decrypted using the node's private key.

Asymmetric encryption is used to provide digital signatures, which enables participants in a transaction to confirm other participants in the transaction, as well as the validity of the transaction. For example, a node can digitally sign a message, and another node can confirm that the message was sent by the node based on the digital signature of Participant A. Digital signatures can also be used to ensure that messages are not tampered with in transit. For example, and again referencing FIG. 7, Participant A is to send a message to Participant B. Participant A generates a hash of the message, and then, using its private key, encrypts the hash to provide a digital signature as the encrypted hash. Participant A appends the digital signature to the message, and sends the message with digital signature to Participant B. Participant B decrypts the digital signature using the public key of Participant A, and extracts the hash. Participant B hashes the message and compares the hashes. If the hashes are same, Participant B can confirm that the message was indeed from Participant A, and was not tampered with.

The present specification can be applied to many general-purpose or dedicated computer system environments or configurations, for example, a personal computer, a server computer, a handheld device or a portable device, a tablet device, a multi-processor system, a microprocessor-based system, a set-top box, a programmable consumption electronic device, a network PC, a minicomputer, a mainframe computer, and a distributed computing environment including any one of the previous systems or devices.

The present specification can be described in the general context of computer executable instructions executed by a computer, for example, a program module. Generally, the program module includes a routine, a program, an object, a component, a data structure, etc., executing a specific task or implementing a specific abstract data type. The present specification can also be practiced in distributed computing environments. In the distributed computing environments, tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, the program module can be located in both local and remote computer storage media including storage devices.

Although the present specification is described by using the implementations, a person of ordinary skill in the art knows that many variations of the present specification can be made without departing from the spirit of the present specification. It is expected that the appended claims include these variations without departing from the spirit of the present specification. 

What is claimed is:
 1. A blockchain-based transaction method, comprising: calculating a transaction amount commitment based on a commitment random number and a transaction amount involving a remitter account and a remitter account with respect to a blockchain; obtaining a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remitter account using a homomorphic encryption algorithm; obtaining a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.
 2. The method according to claim 1, wherein the remitter account registers a remitter balance commitment, a remitter random number ciphertext, and a remitter balance ciphertext in the blockchain; the remitter balance commitment is calculated based on a remitter random number and a remitter balance; the remitter random number ciphertext is calculated based on the remitter random number by using the homomorphic encryption algorithm; the remitter balance ciphertext is calculated based on the remitter balance by using the homomorphic encryption algorithm; and wherein the remittee account registers a remittee balance commitment, a remittee random number ciphertext, and a remittee balance ciphertext in the blockchain; the remittee balance commitment is calculated based on a remittee random number and a remittee balance; the remittee random number ciphertext is calculated based on the remittee random number by using the homomorphic encryption algorithm; the remittee balance ciphertext is calculated based on the remittee balance by using the homomorphic encryption algorithm.
 3. The method according to claim 2, wherein the transaction amount commitment, the first transaction amount ciphertext, and the first commitment random number ciphertext are recorded into the remitter account by: updating the remitter balance commitment based on the transaction amount commitment, updating the remitter random number ciphertext based on the first commitment random number ciphertext, and updating the remitter balance ciphertext based on the first transaction amount ciphertext; and  wherein the transaction amount commitment, the second transaction amount ciphertext, and the second commitment random number ciphertext are recorded into the remittee account by: updating the remittee balance commitment based on the transaction amount commitment, updating the remittee random number ciphertext based on the second commitment random number ciphertext, and updating the remittee balance ciphertext based on the second transaction amount ciphertext.
 4. The method according to claim 3, wherein an updated remitter balance commitment is a quotient of the remitter balance commitment and the transaction amount commitment; an updated remitter random number ciphertext is a quotient of the remitter random number ciphertext and the first commitment random number ciphertext; and an updated remitter balance ciphertext is a quotient of the remitter balance ciphertext and the first transaction amount ciphertext; and wherein an updated remittee balance commitment is a product of the remittee balance commitment and the transaction amount commitment; an updated remittee random number ciphertext is a product of the remittee random number ciphertext and the second commitment random number ciphertext; and an updated remittee balance ciphertext is a product of the remittee balance ciphertext and the second transaction amount ciphertext.
 5. The method according to claim 1, wherein the obtaining the first commitment random number ciphertext and the first transaction amount ciphertext includes: obtaining the first commitment random number ciphertext by encrypting the commitment random number based on a first encryption random number and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm; and obtaining the first transaction amount ciphertext by encrypting the transaction amount based on a second encryption random number and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm.
 6. The method according to claim 1, wherein the obtaining the second commitment random number ciphertext and the second transaction amount ciphertext includes: obtaining the second commitment random number ciphertext by encrypting the commitment random number based on a third encryption random number and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and obtaining the second transaction amount ciphertext by encrypting the transaction amount based on a fourth encryption random number and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm.
 7. The method according to claim 1, comprising: before the submitting the transaction data to the blockchain, generating a first zero-knowledge proof, the first zero-knowledge proof configured to verify that the transaction amount is not less than 0; wherein the transaction data includes the first zero-knowledge proof.
 8. The method according to claim 1, comprising: before the submitting the transaction data to the blockchain, generating a second zero-knowledge proof, the second zero-knowledge proof configured to verify that the transaction amount is not greater than the remitter balance; wherein the transaction data includes the second zero-knowledge proof
 9. The method according to claim 1, comprising: before the submitting the transaction data to the blockchain, generating a third zero-knowledge proof, the third zero-knowledge proof configured to verify that the commitment random number for calculating the transaction amount commitment is consistent with the commitment random number for calculating the second commitment random number ciphertext, and verify that the transaction amount for calculating the transaction amount commitment is consistent with the transaction amount for calculating the second transaction amount ciphertext; wherein the transaction data includes the third zero-knowledge proof.
 10. The method according to claim 1, comprising: before the submitting the transaction data to the blockchain, obtaining signature data by signing the transaction data using a signature private key of the remitter account; wherein the transaction data includes the signature data.
 11. The method according to claim 1, wherein the calculating the transaction amount commitment based on the commitment random number and the transaction amount includes: obtaining a first transaction amount commitment based on a first commitment random number and the transaction amount, and obtaining a second transaction amount commitment based on a second commitment random number and the transaction amount;  wherein the obtaining the first commitment random number ciphertext and the first transaction amount ciphertext by encrypting the transaction amount includes: obtaining the first transaction amount ciphertext and the first commitment random number ciphertext by encrypting the transaction amount and the first commitment random number separately based on the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm;  wherein the obtaining the second commitment random number ciphertext and the second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm includes: obtaining the second commitment random number ciphertext and the second transaction amount ciphertext by encrypting the second commitment random number and the transaction amount separately based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and  wherein the transaction data includes the first transaction amount commitment, the second transaction amount commitment, the first transaction amount ciphertext, the first commitment random number ciphertext, the second transaction amount ciphertext, and the second commitment random number ciphertext, for the first transaction amount commitment, the first transaction amount ciphertext, and the first commitment random number ciphertext to be recorded into the remitter account, and the second transaction amount commitment, the second transaction amount ciphertext, and the second commitment random number ciphertext to be recorded into the remittee account.
 12. The method according to claim 11, further comprising: before the submitting the transaction data to the blockchain, generating a fourth zero-knowledge proof, the fourth zero-knowledge proof configured to verify that the transaction amount for calculating the first transaction amount commitment is consistent with the transaction amount for calculating the second transaction amount commitment; wherein the transaction data further includes the fourth zero-knowledge proof.
 13. A blockchain-based transaction apparatus, comprising: a calculation unit, configured to calculate a transaction amount commitment based on a commitment random number and a transaction amount involving a remitter account and a remittee account with respect to a blockchain; a first encryption unit, configured to obtain a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remitter account using a homomorphic encryption algorithm; a second encryption unit, configured to obtain a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and a submission unit, configured to submit transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.
 14. A system, comprising: a memory, configured to store computer instructions; and a processor, configured to execute the computer instructions to implement acts including: calculating a transaction amount commitment based on a commitment random number and a transaction amount involving a remitter account and a remitter account with respect to a blockchain; obtaining a first commitment random number ciphertext and a first transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remitter account using a homomorphic encryption algorithm; obtaining a second commitment random number ciphertext and a second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on a homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, the first transaction amount ciphertext, the second commitment random number ciphertext, and the second transaction amount ciphertext, for the transaction amount commitment, the first commitment random number ciphertext, and the first transaction amount ciphertext to be recorded into the remitter account, and the transaction amount commitment, the second commitment random number ciphertext, and the second transaction amount ciphertext to be recorded into the remittee account.
 15. The system according to claim 14, wherein the remitter account registers a remitter balance commitment, a remitter random number ciphertext, and a remitter balance ciphertext in the blockchain; the remitter balance commitment is calculated based on a remitter random number and a remitter balance; the remitter random number ciphertext is calculated based on the remitter random number by using the homomorphic encryption algorithm; the remitter balance ciphertext is calculated based on the remitter balance by using the homomorphic encryption algorithm; and wherein the remittee account registers a remittee balance commitment, a remittee random number ciphertext, and a remittee balance ciphertext in the blockchain; the remittee balance commitment is calculated based on a remittee random number and a remittee balance; the remittee random number ciphertext is calculated based on the remittee random number by using the homomorphic encryption algorithm; the remittee balance ciphertext is calculated based on the remittee balance by using the homomorphic encryption algorithm.
 16. The system according to claim 15, wherein the transaction amount commitment, the first transaction amount ciphertext, and the first commitment random number ciphertext are recorded into the remitter account by: updating the remitter balance commitment based on the transaction amount commitment, updating the remitter random number ciphertext based on the first commitment random number ciphertext, and updating the remitter balance ciphertext based on the first transaction amount ciphertext; and  wherein the transaction amount commitment, the second transaction amount ciphertext, and the second commitment random number ciphertext are recorded into the remittee account by: updating the remittee balance commitment based on the transaction amount commitment, updating the remittee random number ciphertext based on the second commitment random number ciphertext, and updating the remittee balance ciphertext based on the second transaction amount ciphertext.
 17. The system according to claim 16, wherein an updated remitter balance commitment is a quotient of the remitter balance commitment and the transaction amount commitment; an updated remitter random number ciphertext is a quotient of the remitter random number ciphertext and the first commitment random number ciphertext; and an updated remitter balance ciphertext is a quotient of the remitter balance ciphertext and the first transaction amount ciphertext; and wherein an updated remittee balance commitment is a product of the remittee balance commitment and the transaction amount commitment; an updated remittee random number ciphertext is a product of the remittee random number ciphertext and the second commitment random number ciphertext; and an updated remittee balance ciphertext is a product of the remittee balance ciphertext and the second transaction amount ciphertext.
 18. The system according to claim 14, wherein the obtaining the first commitment random number ciphertext and the first transaction amount ciphertext includes: obtaining the first commitment random number ciphertext by encrypting the commitment random number based on a first encryption random number and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm; and obtaining the first transaction amount ciphertext by encrypting the transaction amount based on a second encryption random number and the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm.
 19. The system according to claim 14, wherein the obtaining the second commitment random number ciphertext and the second transaction amount ciphertext includes: obtaining the second commitment random number ciphertext by encrypting the commitment random number based on a third encryption random number and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and obtaining the second transaction amount ciphertext by encrypting the transaction amount based on a fourth encryption random number and the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm.
 20. The system according to claim 14, wherein the calculating the transaction amount commitment based on the commitment random number and the transaction amount includes: obtaining a first transaction amount commitment based on a first commitment random number and the transaction amount, and obtaining a second transaction amount commitment based on a second commitment random number and the transaction amount;  wherein the obtaining the first commitment random number ciphertext and the first transaction amount ciphertext by encrypting the transaction amount includes: obtaining the first transaction amount ciphertext and the first commitment random number ciphertext by encrypting the transaction amount and the first commitment random number separately based on the homomorphic encryption public key of the remitter account using the homomorphic encryption algorithm;  wherein the obtaining the second commitment random number ciphertext and the second transaction amount ciphertext by encrypting the commitment random number and the transaction amount separately based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm includes: obtaining the second commitment random number ciphertext and the second transaction amount ciphertext by encrypting the second commitment random number and the transaction amount separately based on the homomorphic encryption public key of the remittee account using the homomorphic encryption algorithm; and  wherein the transaction data includes the first transaction amount commitment, the second transaction amount commitment, the first transaction amount ciphertext, the first commitment random number ciphertext, the second transaction amount ciphertext, and the second commitment random number ciphertext, for the first transaction amount commitment, the first transaction amount ciphertext, and the first commitment random number ciphertext to be recorded into the remitter account, and the second transaction amount commitment, the second transaction amount ciphertext, and the second commitment random number ciphertext to be recorded into the remittee account. 